BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM

INSPECTION OF FEDERAL RESERVE EXAMINATION PRACTICES FOR ASSESSING FINANCIAL INSTITUTIONS’ OFFICE OF FOREIGN ASSET CONTROL (OFAC) COMPLIANCE PROGRAMS

OIG
Office of Inspector General
September 2007


September 28, 2007

Mr. Roger T. Cole
Director, Banking Supervision and Regulation
Board of Governors of the Federal Reserve System
Washington, D.C. 20551

Dear Mr. Cole:

The Office of Inspector General (OIG) of the Board of Governors of the Federal Reserve System (Board) has completed an inspection of examination practices associated with the Office of Foreign Assets Control (OFAC) component of Bank Secrecy Act (BSA) examinations conducted at financial institutions regulated by the Federal Reserve. OFAC, an entity within the U.S. Department of the Treasury, administers and enforces economic and trade sanctions against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. As part of its enforcement efforts, OFAC distributes a list of individuals and entities that are controlled by, or are acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. These individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN). OFAC regulations require financial institutions to block or reject accounts and transactions that involve any persons, entities, or countries that are included on the SDN list. Civil penalties can be imposed by OFAC when a financial institution processes a transaction that should have been blocked or rejected.

Although not required by specific regulation, financial institutions are expected to maintain a written, risk-focused program of compliance with OFAC requirements, as a matter of sound banking practice. While federal bank regulatory agencies do not have a primary role in identifying OFAC violations, they are responsible for evaluating the sufficiency of policies, procedures, and processes that a bank follows to comply with OFAC laws and regulations. Federal Reserve examiners perform OFAC reviews as part of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) assessments that they conduct during safety and soundness examinations. The Federal Financial Institutions Examination Council's Bank Secrecy Act/Anti-Money Laundering Examination Manual (Manual) establishes the principles and procedures governing OFAC reviews. According to the Manual, examiners are responsible for assessing a financial institution’s risk-based OFAC program to evaluate whether it is appropriate for the institution’s OFAC risk, considering the institution’s products, services, customers, transactions, and geographic locations.

The objective of this inspection was to assess Federal Reserve examiners’ compliance with the OFAC examination guidance set forth in the Manual. To accomplish this objective, we reviewed the Manual, OFAC-related laws and regulations, OFAC’s website, and banking industry publications. We also obtained and analyzed the publicly-available list of civil penalties and enforcement actions issued by OFAC. We met with management and staff from other federal bank regulatory Inspector General offices who were performing similar work, and reviewed their reports related to OFAC compliance. In addition, we interviewed OFAC officials, and Board and Reserve Bank management and staff responsible for overseeing and performing OFAC examinations.

Our inspection procedures focused on assessing examiners’ compliance with the OFAC examination guidance included in the Manual. Specifically, we reviewed examination workpapers for evidence that examiners applied procedures that the Manual refers to as “Core Examination Procedures” in conducting their risk-focused OFAC reviews. A high-level summary of the core examination procedures which formed the basis of our review is included as an attachment to this report. We did not independently verify the accuracy or effectiveness of the examined institutions’ OFAC programs.

We conducted our fieldwork at the Board and three Federal Reserve Banks—Atlanta, New York, and San Francisco. We selected a judgmental, representative sample of OFAC examinations based on criteria that included geography, asset size, and degree of international exposure. Out of a universe of 420 examinations performed from September 1, 2005, through June 1, 2006, we selected 49 examinations to be reviewed, using the Manual version issued on June 23, 2005. [1] The sample included state member banks, bank holding companies, Edge Act corporations, foreign banking organizations, and institutions with BSA/AML or OFAC programs that were rated as inadequate in the Federal Reserve’s National Examination Database. [2] These institutions had asset sizes ranging from $7 million to $500 billion. Our fieldwork was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency.

In general, we found that Federal Reserve examiners were performing the Core Examination Procedures in accordance with the guidance contained in the Manual, and in a manner that was commensurate with the financial institution’s BSA/AML and OFAC risk profiles. Examination workpapers contained documentation indicating that examiners reviewed OFAC-related policies and procedures, risk assessments, the results of transaction testing, and prior deficiencies identified by OFAC, bank internal and external auditors, or regulators. Accordingly, nothing came to our attention to indicate material examiner noncompliance with the guidance contained in the Manual. Therefore, we are concluding our work without making any recommendations. However, it is important to note that our conclusions are limited solely to the examinations selected for our sample.

[1] A subsequent revision released in July 2006 added OFAC-related guidance that was limited to examiner reviews of automated clearing-house transactions.

[2] The National Examination Database is specifically designed to support bank supervision. Among other things, it includes data gathered during examinations and inspections, such as financial information, ratings, and regulatory compliance actions. A specific field in the database indicates whether a financial institution’s OFAC program is adequate or inadequate.

We presented our inspection results to members of your senior staff on September 27, 2007. Major contributors to this report were Mr. John F. Ayers III, Senior Auditor and Project Leader; Mr. David K. Horn, Auditor; Mr. Alvaro R. Soto, Auditor; Ms. Jennifer A. Rosholt, Auditor; and Mr. Anthony J. Castaldo, Jr., Assistant Inspector General for Inspections and Evaluations. We are providing copies of this report to Board and Reserve Bank officials. The report will be added to our public web site and will be summarized in our next semiannual report to Congress. Please contact me if you would like to discuss this report or any related issues.

Sincerely,

/signed/

Elizabeth A. Coleman
Inspector General

cc: Governor Randall S. Kroszner
    Governor Frederic S. Mishkin
    Mr. William Rutledge
    Mr. William Estes
    Mr. Steven Hoffman


ATTACHMENT

High-Level Summary of FFIEC’s OFAC-Related Core Examination Procedures From the Bank Secrecy Act/Anti-Money Laundering Examination Manual

1. Written OFAC Procedures
   Did examiners determine whether the board of directors and senior management of the bank have developed policies, procedures, and processes based on their risk assessment to ensure compliance with OFAC laws and regulations?

2. Risk Assessment
   Did examiners consider:
   A. The extent and method for conducting OFAC searches of each relevant department/business line?
   B. Conducting OFAC searches of account parties other than accountholders?
   C. How responsibility for OFAC is assigned?
   D. Timeliness of obtaining and updating OFAC lists or filtering criteria?
   E. The appropriateness of the filtering criteria used by the bank to reasonably identify OFAC matches?
   F. The process used to investigate potential matches?
   G. The process used to block and reject transactions?
   H. The process used to inform management of blocked or rejected transactions?
   I. The adequacy and timeliness of reports to OFAC?
   J. The process to manage blocked accounts?
   K. Record retention requirements for OFAC-related documents?

3. Independent Testing
   Did examiners determine the adequacy of independent testing and follow-up procedures?

4. Training Program
   Did examiners review the adequacy of the bank’s OFAC training program based on the bank’s OFAC risk assessment?

5. Banks’ Response to OFAC Deficiencies
   Did examiners determine whether the bank has adequately addressed weaknesses or deficiencies identified by OFAC, auditors, or regulators?

6. Transaction Testing
   Did examiners consider:
   A. The filtering process used to search the OFAC database?
   B. The filtering criteria used to search the OFAC database, the timing of the search, and documentation maintained evidencing the searches for appropriate transactions that may not be related to an account?
   C. For banks using an automated system, the timing of when updates are made to the system?
   D. For banks not using an automated system, evaluating the process used to check the existing customer base against the OFAC list and its frequency?
   E. The bank’s resolution and blocking/rejecting processes for a sample of OFAC matches?
   F. Completeness and timeliness for a sample of reports to OFAC?
   G. That the banks maintain adequate records of amounts blocked and ownership of blocked funds for banks required to maintain blocked accounts; and that banks pay a commercially reasonable rate of interest on all blocked accounts, and accurately report required information annually to OFAC? Examiners should also test the controls in place to verify that the account is blocked.
   H. The handling and the resolution of false hits?

7. Unreported OFAC Transactions
   Did examiners identify any potential matches that were not reported to OFAC, advise bank management to immediately notify OFAC of unreported transactions, and immediately notify examination supervisory personnel?